Abstract. A fertile field of research in theoretical computer science investigates the representation of general recursive functions in intensional type theories. Among the most successful approaches are: the use of wellfounded relations, implementation of operational semantics, formalization of domain theory, and inductive definition of domain predicates. Here, a different solution is proposed: exploiting coinductive types to model infinite computations. To every type A we associate a type of partial elements A^ν, coinductively generated by two constructors: the first, ⌜a⌝, just returns an element a: A; the second, ▷x, adds a computation step to a recursive element x: A^ν. We show how this simple device is sufficient to formalize all recursive functions between two given types. It allows the definition of fixed points of unitary, that is, continuous, operators. We will compare this approach to different ones from the literature. Finally, we mention that the formalization, with appropriate structural maps, defines a strong monad.



Type theory is, we often claim, a rich functional programming language with dependent types and, at the same time, a constructive logical system. This view is consistently adopted in Martin-Löf's type theory [39, 48]. However, a serious limitation of type theory with respect to standard functional programming languages is that all computations must terminate. This restriction has two reasons. First, to decide type-checking of dependent types, we need to reduce type expressions to normal form (see the work by Barendregt and Geuvers [3] for a good exposition of technical issues of type-theoretic proof assistants). Second, since propositions are represented by types and proofs by programs, according to the Curry-Howard isomorphism [37, 28], we cannot allow non-terminating proofs, because they would lead to inconsistency.

There have been attempts to overcome both problems in the literature, starting from the work of Paulson and Nordström.

There are implementations of extensional type theory for which the type-checking problem is undecidable, notably Nuprl [20]. In such a system the correctness of a judgment cannot be determined by just analyzing the terms, but a supplementary proof must be given. In principle, a complete type-checkable term can be generated from such a proof. Types of partial functions have been devised by Constable and added to Nuprl [21, 22].

Geuvers, Poll, and Zwanenburg [26] added a fixed point operator Y to type theory and proved the conservativity of the extension. This means that a judgment derived in the extended system and not containing Y can be derived in the non-extended system. This allows the use of Y for proof search: we construct a proof containing Y, then we reduce it; if we obtain a term not containing Y, we have a valid proof. However, statements about diverging elements cannot be proved, because valid proofs cannot contain Y.

Recent research has tried to find good representations of general recursive functions in type theory following various avenues: Balaa and Bertot used well-founded recursion; Dubois and Donzeau-Gouge and, independently, Bove and Capretta used inductive characterizations of domain predicates; Bertot, Capretta, and Das Barman combined the two methods to give a semantics of imperative programming, and Bertot extended the work to coinductive types [12]; Barthe and others used type labeling to strengthen termination conditions; McBride and McKinna used views, that is, different potential inductive characterizations of data types.

The first problem is how to represent partial functions. The most popular way consists in seeing a partial function f: A ⇀ B as a total function defined on a subset of the type A. In intensional type theory, a subset of a type is represented by a predicate D: A → Prop. A partial function is represented by a term f: Πx: A.(D x) → B, provided that the result does not depend on the proof of the predicate, that is, for x: A, if p₁ and p₂ are two proofs of (D x), then (f x p₁) = (f x p₂).

This formalization of partial functions has two defects. First, if we want to define the type of partial functions from A to B, we need second order sum types:

$$A \rightharpoonup B = \Sigma D: A \to \mathrm{Prop}.\ \Sigma f: \Pi x: A.(D\ x) \to B.\ \forall x: A.\ \forall p_1, p_2: (D\ x).\ (f\ x\ p_1) = (f\ x\ p_2).$$

This requires either an impredicative type theory or a predicative theory with type universes [30]. In the second case, there are some difficulties when we try to define the predicate inductively from the recursive equations of the function: the counterexample discussed in the literature cannot be formalized without impredicativity. Second, diverging elements are not represented. We can apply a partial function only to the elements in its domain, but we cannot translate an expression (f a) if a does not satisfy D.

I propose a different approach. The type of partial functions from A to B is defined as A → B^ν, where B^ν is a type in which B can be embedded and that contains terms representing partial elements. The standard choice in the semantics of programming languages is to put B^ν = B + {⊥}, where {⊥} is a one-element set [53]. This solution does not work in type theory. Sum types are decidable, that is, it is decidable whether an element of B + {⊥} is in B or is ⊥. This would imply that we can decide when a function diverges. It is then clear that not all recursive functions would be representable. However, adopting ideas of Scott [53], we can constructivize this notion by formalizing finite elements and then taking the filter completion. This approach was adopted by Michael Hedberg [33], who formalized constructive domain theory as a step toward a model of partial type theory inside total type theory.

Instead, here we choose as B^ν a certain coinductive type. Coinductive types were first introduced in type theory by Hagino; their second order implementation was studied by Wraith and Geuvers [22]. The version we use here was developed by Coquand [23] and implemented in Coq by Giménez [30].

Before defining B^ν formally, let us see the model of computation on which it is based.

We give a description of computable functions that is Turing complete and is as simple as standard formalizations like Kleene's recursive functions, the pure λ-calculus, and Turing machines. It has the advantage that it translates easily into type theory.

We start with a system λAlg containing algebraic data types with definition by cases and function types with λ-abstraction and application. Then we introduce a new rule Iter to define functions. To define a function f from a type A to a type B we assign to every element x of A either directly a value b in B, and we indicate it by ⌜b⌝, or another element a' in A, and we indicate it by ▷a'. In other words, we give a function g: A → A + B and we indicate by ▷· and ⌜·⌝ the left and right injection, respectively. The rule Iter states that we obtain a function f = (iter g): A → B:

$$\frac{g: A \to A + B}{f = (\mathrm{iter}\ g): A \to B}$$

where a ↦ ▷a' means (g a) = inl a' and a ↦ ⌜b⌝ means (g a) = inr b.

The function f has the following computation behavior. The computation of f on input a proceeds recursively: if (g a) = inr b, then the computation of (f a) terminates with result b; if (g a) = inl a', we proceed to the computation of (f a') and let (f a) ⇝ (f a'): if, continuing in the process, we eventually obtain a result (f a') = b, then we put (f a) = b; on the other hand, if the evaluation always gives a new element of A on which to compute f, then the computation will continue indefinitely and the value of (f a) will be undetermined:

$$f\ a \leadsto b \quad \text{if } (g\ a) = \mathrm{inr}\ b, \qquad\qquad f\ a \leadsto f\ a' \quad \text{if } (g\ a) = \mathrm{inl}\ a'.$$

Theorem 1.1. The system λAlg + Iter is Turing-complete.

Proof. We give just an outline of the proof. A complete version of it, formalized in type theory, is given later (Definition 4.1 and Theorem 4.2). We show that all recursive functions can be programmed. The zero constant, successor, and projections can be defined directly by constructors and cases.

Let f be defined by primitive recursion, that is, given g: Nⁿ → N and h: Nⁿ⁺² → N, we have

$$f: \mathbb{N}^{n+1} \to \mathbb{N}, \qquad (f\ x\ 0) = (g\ x), \qquad (f\ x\ (y+1)) = (h\ x\ y\ (f\ x\ y)).$$

We use a technique called continuation-passing style programming, that consists in seeing programs as maps on functions. We add a functional parameter and define a function on Nⁿ × (N → N) × N using definition by cases and the rule Iter:

$$(x, u, 0) \mapsto \ulcorner (u\ (g\ x)) \urcorner, \qquad\qquad (x, u, y+1) \mapsto \triangleright (x, \lambda z.(u\ (h\ x\ y\ z)), y).$$

Call f⁺ the function so defined, f⁺: Nⁿ × (N → N) × N → N. Then we put

$$f: \mathbb{N}^{n+1} \to \mathbb{N}, \qquad f\ x\ y = f^+\ (x, \mathrm{id}, y).$$

Let f be defined by minimization, that is, given g: Nⁿ⁺¹ → N, we have

$$f\ x = \min y.(g\ x\ y)$$

where min y.(g x y) denotes the least natural number y for which (g x y) = 0 if this value exists, and is undefined otherwise. Also in this case we use the technique of accumulating results by adding a new natural number parameter containing the partial result. We use Iter to define a function f⁺ on Nⁿ⁺¹:

$$(x, y) \mapsto \begin{cases} \ulcorner y \urcorner & \text{if } (g\ x\ y) = 0 \\ \triangleright (x, y+1) & \text{otherwise.} \end{cases}$$

This defines a function f⁺: Nⁿ⁺¹ → N. Now we just put

$$f: \mathbb{N}^n \to \mathbb{N}, \qquad f\ x = (f^+\ x\ 0).$$

□
The definition of a recursive function f: A ⇀ B is then given by a map from A to A + B, if we write ▷a and ⌜b⌝ for the left and right injections, respectively. Such a function is a coalgebra for the functor F_B X := X + B. (See, for example, [2] for an elementary introduction to coalgebras.) We recall the categorical notion of coalgebra: a coalgebra for an endofunctor F is an object A together with a morphism u: A → FA. If the functor F has a final coalgebra νF, γ: νF → F(νF), then all coalgebras can be embedded in it. This means that if A and u constitute an F-coalgebra, then there is a unique morphism ū: A → νF such that γ ∘ ū = F ū ∘ u. In type theory, final coalgebras are modeled by coinductive types. Let then B^ν be the coinductive type associated to F_B. Then, as we have said, every coalgebra u: A → A + B defines a function ū: A → B^ν. In conclusion, we can model partial recursive functions from a type A to a type B in type theory by elements of A → B^ν.

The rest of the paper formalizes this idea and compares it with other formalizations of partial recursive functions.

Section 2 gives a succinct introduction to type theory, with special emphasis on recursive (inductive and coinductive) types. Section 3 presents the type constructor for partial elements, the formal definition of convergence and divergence, and the formal proofs of basic properties. Section 4 contains the representation of general recursive functions in type theory using the type for partial elements. Section 5 tackles the insidious problem of the representation of nested recursive functions. Section 6 shows how to construct least fixed points of function operators. Section 7 discusses a variant of the construct that supports a lazy evaluation order. Finally, Section 8 proves that the constructor for partial elements is a strong monad.

The whole development has been completely formalized using the proof assistant Coq [57], version 8. Specifically, every numbered definition has been formalized and all numbered lemmas and theorems have been proved formally, with the exception of the content of Section 5, which can be seen as a consequence of the more abstract results of Section 6. The main results, both in this article and in the Coq development, are Theorems 6.19 and 6.20. The examples of nested recursive functions of Section 5 have also been programmed in Coq. The file of the formalization is available on the author's web site:

http://www.science.uottawa.ca/~vcapr396/




2. Type Theory and Recursive Types

We work in a dependent type theory with inductive and coinductive types. If you are familiar with this kind of system, you can skip this section. See the standard references for a good introduction to dependent type theory. We work in a system consisting of the pure type system λP with the addition of sum types and (co)inductive types. We use a formulation of (co)inductive types as recursive sum types, as in [30].

We use some simplifying notation to make the treatment more intuitive and concise. We write both Type and Prop for the sort of small types, usually denoted by ∗ in λP, to distinguish computational from logical types and to facilitate applications to other type systems in which these sorts are distinguished. If Γ is a valid context and Δ is a sequence of assignments of types to variables, we write Γ ⊢ Δ valid to express that Γ, Δ is also a valid context. We denote by x⃗_Δ the sequence of variables assumed in Δ.

If Δ = x₁: A₁, …, x_m: A_m and d⃗ = d₁, …, d_m is a sequence of pseudo-terms, then the judgment Γ ⊢ d⃗ :: Δ expresses the conjunction of the judgments

$$\Gamma \vdash d_1: A_1, \qquad \Gamma \vdash d_2: A_2[d_1/x_1], \qquad \ldots, \qquad \Gamma \vdash d_m: A_m[d_1/x_1, \ldots, d_{m-1}/x_{m-1}].$$

If Γ, Δ ⊢ t: T and Γ ⊢ d⃗ :: Δ, we write t[d⃗] for t[d₁/x₁, …, d_m/x_m], leaving it implicit that we are substituting the last m variables in the context of t. To avoid confusion, we may sometimes introduce the term t as t[x₁, …, x_m].

If Γ, Δ ⊢ B: Type, we write ΠΔ.B for the successive product of B over each of the variables in Δ: ΠΔ.B = Πx₁: A₁.Πx₂: A₂ ⋯ Πx_m: A_m.B. We also use the notation (Δ)B for ΠΔ.B.

We add constant definitions to the system, that is, if Γ ⊢ e: T, then we can add a declaration of the form t := e to the context, with the typing rule Γ, t := e ⊢ t: T and the reduction rule t ⇝ e. A constant name can be declared at most once. The classes of names for variables and constants are disjoint. However, sometimes we use the same name in different fonts to denote a variable and a constant. It will then be understood that the variable is automatically substituted with the constant whenever the latter is defined in the context. For example, if we have Γ, t: T ⊢ u: U and Γ ⊢ e: T, we write Γ, t := e ⊢ u: U for Γ, t := e ⊢ u[t/t]: U, where the constant t replaces the variable t.

Sum types are specified by a sequence of constructors with arguments of previously defined types.

Definition 2.1. Let Γ be a valid context and assume that the following judgments are derivable:

$$\Gamma \vdash \Delta\ \mathrm{valid}, \qquad \Gamma \vdash \Theta_i\ \mathrm{valid}, \qquad \Gamma, \Theta_i \vdash \vec{p}_i :: \Delta$$

for 1 ≤ i ≤ n. Let T and c₁, …, c_n be new constant names. Then we can add the definition of the sum type

$$\mathrm{Sum}\ T[\Delta]: \mathrm{Type} := \left\{ \begin{array}{l} c_1: (\Theta_1)(T\ \vec{p}_1) \\ \vdots \\ c_n: (\Theta_n)(T\ \vec{p}_n) \end{array} \right.$$

in the context Γ. Let Γ' be the extension of Γ with this sum type definition. We have the following rules for T:

Formation:

$$\frac{\Gamma' \vdash \vec{d} :: \Delta}{\Gamma' \vdash (T\ \vec{d}): \mathrm{Type}}$$

Introduction:

$$\frac{\Gamma' \vdash \vec{a} :: \Theta_i}{\Gamma' \vdash (c_i\ \vec{a}): (T\ \vec{p}_i[\vec{a}])} \qquad \text{for } 1 \le i \le n;$$

Elimination (definition by cases):

$$\frac{\Gamma' \vdash P: (\Delta)(T\ \vec{x}_\Delta) \to \mathrm{Type} \qquad \Gamma', \Theta_i \vdash e_i: (P\ \vec{p}_i\ (c_i\ \vec{x}_{\Theta_i}))\ \ (1 \le i \le n) \qquad \Gamma' \vdash \vec{d} :: \Delta \qquad \Gamma' \vdash t: (T\ \vec{d})}{\Gamma' \vdash \mathrm{Cases}\ t\ \mathrm{of}\ \{(c_1\ \vec{x}_{\Theta_1}) \Rightarrow e_1;\ \ldots;\ (c_n\ \vec{x}_{\Theta_n}) \Rightarrow e_n\}: (P\ \vec{d}\ t)}$$

Reduction:

$$\mathrm{Cases}\ (c_i\ \vec{a})\ \mathrm{of}\ \{(c_1\ \vec{x}_{\Theta_1}) \Rightarrow e_1;\ \ldots;\ (c_n\ \vec{x}_{\Theta_n}) \Rightarrow e_n\} \leadsto e_i[\vec{a}/\vec{x}_{\Theta_i}] \qquad \text{for } 1 \le i \le n.$$

When a function is defined by case analysis, we use a pattern matching notation to facilitate reading. A function

$$f: (\Delta)(t: (T\ \vec{x}_\Delta))(P\ \vec{x}_\Delta\ t), \qquad f = \lambda \vec{x}_\Delta :: \Delta.\ \lambda t: (T\ \vec{x}_\Delta).\ \mathrm{Cases}\ t\ \mathrm{of}\ \{(c_1\ \vec{x}_{\Theta_1}) \Rightarrow e_1;\ \ldots;\ (c_n\ \vec{x}_{\Theta_n}) \Rightarrow e_n\}$$

is written

$$\begin{array}{l} f: (\Delta)(t: (T\ \vec{x}_\Delta))(P\ \vec{x}_\Delta\ t) \\ f\ \vec{p}_1\ (c_1\ \vec{x}_{\Theta_1}) = e_1 \\ \quad\vdots \\ f\ \vec{p}_n\ (c_n\ \vec{x}_{\Theta_n}) = e_n. \end{array}$$

We formulate both inductive and coinductive types as recursive sum types. By this we mean that the type T may occur in the types of arguments of the constructors Θ_i. The only restriction is that these occurrences must be strictly positive. See [25, 30] for the notion of strictly positive occurrence.

Inductive and coinductive types were introduced in typed λ-calculus by Hagino [34] with the name of categorical data types. Their expression in polymorphic typed λ-calculus was studied in [27].

In our formulation, inductive and coinductive types have the same rules as sum types plus a fixpoint rule for inductive types and a cofixpoint rule for coinductive types allowing the definition of recursive functions.

Inductive types were introduced in dependent type theory by several authors, and coinductive types have been studied in a number of works. The version given here comes from [30] and is the one implemented in the proof tool Coq [56].

Definition 2.2. We make the same assumptions as in the definition of sum types, except that

$$\Gamma, T: (\Delta)\mathrm{Type} \vdash \Theta_i\ \mathrm{valid}, \qquad \Gamma, T: (\Delta)\mathrm{Type}, \Theta_i \vdash \vec{p}_i :: \Delta,$$

with T occurring only strictly positively in Θ_i, for 1 ≤ i ≤ n (see [30], Section 2.2, p. 43, for the definition of strict positivity). Let T and c₁, …, c_n be new constant names. Then we can add the definition of the inductive type

$$\mathrm{Inductive}\ T[\Delta]: \mathrm{Type} := \left\{ \begin{array}{l} c_1: (\Theta_1)(T\ \vec{p}_1) \\ \vdots \\ c_n: (\Theta_n)(T\ \vec{p}_n) \end{array} \right.$$

in the context Γ. Let Γ' be the extension of Γ with this inductive type definition. We have the same rules as for sum types, plus the following:

Fixpoint:

$$\frac{\Gamma' \vdash P: (\Delta)(T\ \vec{x}_\Delta) \to \mathrm{Type} \qquad \Gamma', f: (\Delta)(t: (T\ \vec{x}_\Delta))(P\ \vec{x}_\Delta\ t), \Delta, t: (T\ \vec{x}_\Delta) \vdash e: (P\ \vec{x}_\Delta\ t)}{\Gamma' \vdash (\mathrm{fix}[f, \vec{x}_\Delta, t]\,e): (\Delta)(t: (T\ \vec{x}_\Delta))(P\ \vec{x}_\Delta\ t)}\ \ \mathcal{D}\{f, t, e\}$$

where D{f, t, e} is a side condition defined in [30], Section 3.1, p. 47;

Reduction:

$$(f\ \vec{d}\ (c_i\ \vec{a})) \leadsto e[f, \vec{d}, (c_i\ \vec{a})] \qquad \text{where } f = (\mathrm{fix}[f, \vec{x}_\Delta, t]\,e).$$

Definition 2.3. We make the same assumptions as in the definition of inductive types. Let T and c₁, …, c_n be new constant names. Then we can add the definition of the coinductive type

$$\mathrm{Coinductive}\ T[\Delta]: \mathrm{Type} := \left\{ \begin{array}{l} c_1: (\Theta_1)(T\ \vec{p}_1) \\ \vdots \\ c_n: (\Theta_n)(T\ \vec{p}_n) \end{array} \right.$$

in the context Γ. Let Γ' be the extension of Γ with this coinductive type definition. We have the same rules as for sum types, plus the following, where Ξ and Γ'' are valid context extensions of Γ':

Cofixpoint:

$$\frac{\Gamma', \Xi \vdash \vec{u} :: \Delta \qquad \Gamma', f: (\Xi)(T\ \vec{u}) \vdash e: (\Xi)(T\ \vec{u})}{\Gamma' \vdash (\mathrm{cofix}[f]\,e): (\Xi)(T\ \vec{u})}\ \ \mathcal{C}\{f, e\}$$

where C{f, e} is a side condition defined in [30], Section 4.1, p. 53;

Reduction: if Γ', Γ'' ⊢ v⃗ :: Ξ, then

$$\mathrm{Cases}\ (f\ \vec{v})\ \mathrm{of}\ \{(c_1\ \vec{x}_{\Theta_1}) \Rightarrow e_1;\ \ldots;\ (c_n\ \vec{x}_{\Theta_n}) \Rightarrow e_n\} \leadsto \mathrm{Cases}\ (e[f]\ \vec{v})\ \mathrm{of}\ \{(c_1\ \vec{x}_{\Theta_1}) \Rightarrow e_1;\ \ldots;\ (c_n\ \vec{x}_{\Theta_n}) \Rightarrow e_n\}$$

where f = (cofix[f] e).



We refer to [30] for the definition of the side conditions D and C of the fixpoint and cofixpoint rules. Let us give only an intuitive reminder of their meaning. The side condition D{f, t, e} guarantees that whenever the fixpoint function is applied to an argument in the inductive type, it performs recursive calls only on structurally smaller objects. The side condition C{f, e} guarantees that whenever the cofixpoint function is applied to obtain an element of the coinductive type, this element is productive [23], that is, it can be reduced to constructor form.

We will often use a simpler notation for fixed and cofixed points. We write f = e[f] for f = (fix[f, x⃗_Δ, t] e) or f = (cofix[f] e). Which one of the two is meant will be clear from the type. There can be ambiguity when the domain of f is an inductive type and its codomain is a coinductive type. In that case we state explicitly whether a fixed or cofixed point is meant.

When coinductive types are considered categorically as the dual of inductive types, their formulation is different from the one given here. They are not recursive sum types like the inductive ones, but rather recursive record types, since records are the dual of sums. This is the way they are presented in [27]. Our formulation conforms to the intuitive conception of coinductive types as types of possibly infinite elements. Objects of coinductive types are built up by constructors as those of inductive types, but while inductive objects must be wellfounded, coinductive ones may be infinitely deep. This formulation is given in [23]. The equivalence of the two formulations is proved in [30].



3. Coinductive types of partial elements

For every type A, we define a coinductive type whose elements can be thought of as possibly undefined elements of A.

Definition 3.1. Let A be a type, that is, Γ ⊢ A: Type. Then we define

$$\mathrm{Coinductive}\ A^\nu: \mathrm{Type} := \left\{ \begin{array}{l} \mathrm{return}: A \to A^\nu \\ \mathrm{step}: A^\nu \to A^\nu \end{array} \right.$$

We use the notation ⌜a⌝ for (return a) and ▷x for (step x).

Intuitively, an element of A^ν is either an element of A or a computation step followed by an element of A^ν. Since in coinductive types it is possible to define infinite elements, there is an object ▷▷▷⋯ denoting an infinite computation. Formally, it is defined as the cofixed point

$$\triangleright^\infty: A^\nu, \qquad \triangleright^\infty = \triangleright \triangleright^\infty.$$

We want to identify all terms of the form ▷^k⌜a⌝ as equivalent representations of the element a. We do it by defining an equality relation on A^ν that is a strengthening of bisimulation (see, for example, [44, 36]). First we define, inductively, when an element of A^ν converges to a value in A and, coinductively, when it diverges.

Definition 3.2.

$$\begin{array}{l} \mathrm{Inductive}\ \mathrm{Value}[x: A^\nu;\ a: A]: \mathrm{Prop} := \\ \qquad \mathrm{value\_return}: (a: A)(\mathrm{Value}\ \ulcorner a \urcorner\ a) \\ \qquad \mathrm{value\_step}: (x: A^\nu;\ a: A)(\mathrm{Value}\ x\ a) \to (\mathrm{Value}\ \triangleright x\ a) \\[1ex] \mathrm{Coinductive}\ \mathrm{Diverge}[x: A^\nu]: \mathrm{Prop} := \\ \qquad \mathrm{diverge}: (x: A^\nu)(\mathrm{Diverge}\ x) \to (\mathrm{Diverge}\ \triangleright x) \end{array}$$

We use the notation x↓a for (Value x a) and x↑ for (Diverge x).
Our first example of a proof by coinduction shows that ▷^∞ diverges. This is trivial, but we give the proof to illustrate the style of derivation that is used to prove coinductive predicates.

Lemma 3.3. (▷^∞)↑.

Proof. If we think of coinductive definitions as representing infinite objects, coinductive predicates are proved by infinite proofs. The infinite proof showing the truth of the statement is

$$H = (\mathrm{diverge}\ \triangleright^\infty\ (\mathrm{diverge}\ \triangleright^\infty\ \cdots)): (\triangleright^\infty)\uparrow.$$

It consists of an infinite sequence of nested applications of the constructor diverge, always with ▷^∞ as first argument. At first sight this may seem a circular proof that doesn't prove anything. However, if we analyze it, we discover that it actually establishes what it alleges. Let us give names to the subterms of x₀ = ▷^∞:

$$x_0 = \triangleright x_1, \qquad x_1 = \triangleright x_2, \qquad x_2 = \triangleright x_3, \qquad \ldots$$

Of course, they all coincide: x₀ = x₁ = x₂ = x₃ = ⋯ = ▷^∞. Let us call H_i the proof of x_i↑. Again, it will be clear that we can use the same proof for every H_i. The first step of the proof constructs H₀ from H₁:

$$H_0 = (\mathrm{diverge}\ x_1\ H_1).$$

This just says that if x₁ diverges, then x₀ must also diverge, because it is obtained by adding one ▷ to x₁. In turn the proof H₁ is constructed by

$$H_1 = (\mathrm{diverge}\ x_2\ H_2)$$

and so on, producing the infinite proof, which now doesn't seem purposeless anymore: every occurrence of diverge shows that the term contains a separate ▷ constructor.

In practice, we will define this proof H in terms of itself:

$$H = (\mathrm{diverge}\ \triangleright^\infty\ H).$$

Formally, this definition is valid because the recursive occurrence of H is an argument of diverge, that is, in coinductive jargon, H is guarded by diverge. This guarantees that H can be expanded to an infinite proof not containing any occurrence of H itself. □

Intuitively, A^ν contains copies of the elements of A plus a diverging element ▷^∞. However, A^ν is not isomorphic to A + 1, where 1 is the one-element type, because divergence is undecidable. In fact, the proposition

$$\forall x: A^\nu.\ (\exists a: A.\ x \downarrow a) \vee x \uparrow$$

is not provable, while the corresponding

$$\forall x: A + 1.\ (\exists a: A.\ x = (\mathrm{inl}\ a)) \vee x = (\mathrm{inr}\ 0_1)$$

is trivially true by case analysis. However, a different property, classically equivalent to the above decidability property, is constructively provable.

Theorem 3.4.

$$\forall x: A^\nu.\ \neg(\exists a: A.\ x \downarrow a) \to x \uparrow.$$
Proof. This is our first non-trivial proof by coinduction, so we take care to do it in detail and explain how such proofs work. We know that a coinductive object can be defined in terms of itself, as long as the definition is productive, that is, it can generate leading constructors to an arbitrary depth. This is true for coinductive proofs as well, leading to the apparently paradoxical fact that we can assume the statement that we want to prove, provided that we use it in such a way that every step of the (infinite) proof can be generated.

Let us see how this works specifically in our case. We give the name H to the proof that we are constructing:

$$H: \forall x: A^\nu.\ \neg(\exists a: A.\ x \downarrow a) \to x \uparrow.$$

We now describe how this function is constructed. Let x be an element of A^ν. By case analysis we know that either x = ⌜a⌝ for some a: A or x = ▷x' for some other x': A^ν. We consider separately the two cases.

If x = ⌜a⌝, then trivially ∃a: A. x↓a. The premise of the statement is then false and, therefore, the implication is trivially true.

If, on the other hand, x = ▷x', let us assume that there is no a: A such that x↓a. We have to prove that x diverges. The constructor diverge allows us to deduce this, if we can prove that x' diverges. Now we apply the proof H to x': if we can prove ¬∃a: A. x'↓a, then we can conclude that x' diverges. But this assertion is true because, if there were an a such that x'↓a, then, by value_step, also x↓a, against the assumption.

In conclusion, H allows us to deduce that x' diverges and so, by diverge, that x diverges too, as desired. We used the proof H inside the definition of H itself; isn't this circular? No, because we used it to prove a hypothesis (x'↑) that was requested by diverge. In the coinduction jargon, the occurrence of H is guarded by the occurrence of diverge.

If you want to convince yourself of the soundness of this proof style, consider what concrete proofs are generated by H in specific cases. For a converging element x = ▷▷⋯▷⌜a⌝, the proof is (H x). Let us expand it. Since x = ▷x' for x' = ▷⋯▷⌜a⌝, the second case of the proof applies:

$$(H\ x) = (\mathrm{diverge}\ x'\ (H\ x')).$$

In turn, the proof (H x') reduces similarly, and so on, until we reach the proof

$$(H\ x) = (\mathrm{diverge}\ x'\ (\mathrm{diverge}\ x''\ \cdots (\mathrm{diverge}\ \ulcorner a \urcorner\ (H\ \ulcorner a \urcorner)) \cdots)).$$

Finally, (H ⌜a⌝) trivially reduces to a proof by ex falso quodlibet as described in the first case, in which H does not occur.

On the other hand, if x = ▷^∞, the described reduction procedure of (H x) continues indefinitely, generating the infinite proof

$$(H\ \triangleright^\infty) = (\mathrm{diverge}\ \triangleright^\infty\ (\mathrm{diverge}\ \triangleright^\infty\ \cdots))$$

of Lemma 3.3. This proof also does not contain any occurrence of H. □

From now on, proofs of coinductive properties are less prolix. We take it for granted that we can assume the validity of the statement that we are proving. In case of doubt, it can always be checked, intuitively, that the proofs are productive or, formally, that they satisfy the condition C{f, e}. The correctness of the proofs has been checked formally using the proof assistant Coq.

Now all the elements are in place for the definition of equality of partial elements: it is also a coinductive relation.

Definition 3.5. Let A be a type. We define equality on A^ν by

$$\begin{array}{l} \mathrm{Coinductive}\ \mathrm{Eq}^\nu[x, y: A^\nu]: \mathrm{Prop} := \\ \qquad \mathrm{eq\_value}: (x, y: A^\nu;\ a: A)\ x \downarrow a \to y \downarrow a \to (\mathrm{Eq}^\nu\ x\ y) \\ \qquad \mathrm{eq\_step}: (x, y: A^\nu)(\mathrm{Eq}^\nu\ x\ y) \to (\mathrm{Eq}^\nu\ \triangleright x\ \triangleright y) \end{array}$$

We use the notation x ≈ y for (Eq^ν x y).

Note that, since convergence and divergence are in general undecidable, the equality x ≈ y is not equivalent to the proposition

$$(\exists a: A.\ x \downarrow a \wedge y \downarrow a) \vee (x \uparrow \wedge y \uparrow).$$
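The following is an added example, written for this page and not part of the paper or of its Coq development: a Python model of A^ν (Definition 3.1) as a lazy data type, of the rule Iter of Section 1 together with the two encodings used in the proof of Theorem 1.1 (primitive recursion in continuation-passing style, and minimization), and of fuel-bounded observation of convergence x↓a (Definition 3.2) and of Eq^ν (Definition 3.5). All names in it (Return, Step, step_inf, iter_, value_within, eq_within, prim_rec, minimize, and the sample functions add, ceil_sqrt, never) are our own, and laziness through thunks stands in for coinduction. The fuel parameter is the practical counterpart of the undecidability remarks above: an observer can certify x↓a by unfolding finitely many steps, but a None result never certifies x↑, and eq_within can answer True or False only when both sides have been seen to converge.

```python
# Added example (not from the paper or its Coq formalization): an executable model
# of the type A^nu of partial elements, of the rule Iter, and of bounded observation.
# All names here are our own choices for this illustration.
from typing import Any, Callable, Optional, Tuple, Union


class Return:
    """The constructor return: ⌜a⌝ is a finished computation with value a."""
    __slots__ = ("value",)

    def __init__(self, value: Any) -> None:
        self.value = value


class Step:
    """The constructor step: ▷x is one computation step followed by x.
    The tail is a thunk, so an element is unfolded only as far as an observer
    forces it; this laziness plays the role of coinduction and lets ▷^∞ exist
    as a finite object in memory."""
    __slots__ = ("tail",)

    def __init__(self, tail: Callable[[], "Delay"]) -> None:
        self.tail = tail


Delay = Union[Return, Step]


def step_inf() -> Delay:
    """▷^∞, given by the guarded equation ▷^∞ = ▷▷^∞."""
    return Step(step_inf)


# A coalgebra g: A -> A + B is a function returning ("more", a') for inl a'
# (continue with a') or ("done", b) for inr b (stop with result b).
Coalgebra = Callable[[Any], Tuple[str, Any]]


def iter_(g: Coalgebra) -> Callable[[Any], Delay]:
    """The rule Iter: from g: A -> A + B build f = (iter g): A -> B^nu.
    Every "more" answer of g becomes one ▷, so f a = ▷^k ⌜b⌝ exactly when g is
    applied k times before answering "done"; if g never answers "done", f a
    is an infinite chain of ▷ and diverges."""
    def f(a: Any) -> Delay:
        tag, payload = g(a)
        if tag == "done":
            return Return(payload)
        return Step(lambda: f(payload))
    return f


def value_within(x: Delay, fuel: int) -> Optional[Any]:
    """Observe x for at most `fuel` steps: return a if x = ▷^k ⌜a⌝ with k <= fuel.
    None means "not converged within fuel" and is NOT a proof of x↑: divergence
    is undecidable, so no finite observation can certify it."""
    for _ in range(fuel + 1):
        if isinstance(x, Return):
            return x.value
        x = x.tail()
    return None


def eq_within(x: Delay, y: Delay, fuel: int) -> Optional[bool]:
    """Eq^nu observed up to `fuel` steps. The relation ignores how many ▷ precede
    a value (Lemma 3.6, points 11 and 12), so only the values are compared.
    True: both converge to the same value; False: to different values; None:
    undecided (e.g. two copies of ▷^∞, equal by point 2 but never observably so)."""
    a, b = value_within(x, fuel), value_within(y, fuel)
    if a is None or b is None:
        return None
    return a == b


def prim_rec(g: Callable[..., int], h: Callable[..., int]) -> Callable[..., Delay]:
    """Primitive recursion through Iter, as in the proof of Theorem 1.1:
    f x 0 = g x and f x (y+1) = h x y (f x y). The state (x, u, y) carries a
    continuation u; each unfolding of y composes one more h onto u."""
    def g_plus(state: Tuple[tuple, Callable[[int], int], int]) -> Tuple[str, Any]:
        x, u, y = state
        if y == 0:
            return ("done", u(g(*x)))
        # (x, u, y+1) |-> ▷(x, λz. u (h x y z), y); here y - 1 plays the role of y.
        return ("more", (x, lambda z, u=u, k=y - 1: u(h(*x, k, z)), y - 1))
    f_plus = iter_(g_plus)
    return lambda *args: f_plus((args[:-1], lambda z: z, args[-1]))


def minimize(g: Callable[..., int]) -> Callable[..., Delay]:
    """Unbounded search f x = min y.(g x y) = 0 through Iter: the state holds
    the candidate y, and f diverges when no zero exists."""
    def g_plus(state: Tuple[tuple, int]) -> Tuple[str, Any]:
        x, y = state
        return ("done", y) if g(*x, y) == 0 else ("more", (x, y + 1))
    f_plus = iter_(g_plus)
    return lambda *x: f_plus((x, 0))


# Constructed sample functions.
add = prim_rec(lambda x: x, lambda x, y, z: z + 1)         # add(x, y) = x + y, in y steps
ceil_sqrt = minimize(lambda x, y: 0 if y * y >= x else 1)   # least y with y*y >= x
never = minimize(lambda x, y: 1)                            # no zero exists: diverges

if __name__ == "__main__":
    print(value_within(add(3, 4), 10))              # 7, reached after 4 steps
    print(value_within(add(3, 4), 3))               # None: not yet converged
    print(value_within(ceil_sqrt(17), 100))         # 5
    print(value_within(never(0), 1000))             # None, for any fuel
    print(eq_within(add(3, 4), ceil_sqrt(49), 20))  # True: same value, 4 vs 7 steps
    print(eq_within(step_inf(), step_inf(), 50))    # None: undecidable
```

The step count of an Iter-defined function is exactly the number of times its coalgebra answered "continue", which is why add(3, 4) needs fuel 4 and ceil_sqrt(49) needs fuel 7 before value_within finds their (equal) values; raising the fuel on never or on step_inf only postpones the None, which is the operational face of Theorem 3.4 being the strongest constructively provable statement.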

A series of results can be proved easily, stating that the defined operations, relations, and predicates behave as expected.

Lemma 3.6. For all x, y, z: A^ν and a, a₁, a₂: A, we have

1. x↓a → y↓a → x ≈ y
2. x↑ → y↑ → x ≈ y
3. x↓a → x ≈ y → y↓a
4. x↑ → x ≈ y → y↑
5. x↓a → x ≈ ⌜a⌝
6. x ≈ ⌜a⌝ → x↓a
7. ▷x↓a → x↓a
8. ▷x↑ → x↑
9. x↓a → ¬x↑
10. x↓a → y↑ → ¬(x ≈ y)
11. x ≈ y → x ≈ ▷y
12. ▷x ≈ y → x ≈ y
13. ⌜a₁⌝↓a₂ → a₁ = a₂
14. x ≈ x
15. x ≈ y → y ≈ x
16. x ≈ y → y ≈ z → x ≈ z

Proof. 1. By eq_value. 

2. Proof by coinduction. Assume i/ is the proof of the statement: 

iT: Vx,y : A u .x^ — > y^ — > x = y. 

Let x and y be diverging elements. Then they must be in the form x = >x' and 
y = >y', where x' and y' are also diverging. We apply the proof ii" to x' and y' to 
obtain x' = y' . By eq_step we also have x = y. The recursive application of H is 
guarded by eq_step. 

5. Assume x [ a. By value_return we have that r a~ 1 j. a. Thus, by eq_value we can 
conclude that x = r a n . 

13. Assume that r a\ n [ 02- Any proof H of this statement must be constructed by 
using value_return, since the only other constructor value_step gives a conclusion of 
the wrong form, that is, with a > constructor in the first argument. Therefore, it 
must be 

H = (value_return a ) 

for some a'. But, since (value_return a') is a proof of r a n J. a', we may conclude that 
a' = a\ = ct2- This is an example of proof by inversion; it consists in proving a goal 
by reasoning on the possible form of an assumption. 

6. Assume that x = r a n . We proceed again by inversion on this assumption. If H is 
a proof of this premise, it must have been obtained by an application of eq_value, 
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since the other constructor eq_step gives a conclusion with the wrong form, that is, 
with a > constructor in the second argument. Therefore, it must be 

H = (eq_value x' y' a' hi hi) 

for some x' , y' : A", a' : A, hi a proof of x' J. a', and hi a proof of y' J. a'. But this is 
a proof of x' = y', so we can conclude that x' = x and y' = r a~ l . Then hi is a proof 
of r a? I a' , from which we deduce, by point 13, that a = a'. But then hi is a proof 
of x [ a, and the conclusion is established. 

14. By coinduction: Assume that H is the proof of : Mx: A v .x = x. Any element x must 
be of one of the two forms: x = r a n or x = >x' . 

If x = r a n , we must prove that r a n = r a n . By value_return we have that r a n J. a', 
so, by eq_value, we have that r a n = r a n . 

If x = >x' we must prove that >x' = >x'. By .ff we have that x' = a/, so, by 
eq_step, we have the conclusion. The application of H is guarded by eq_step. 

15. By coinduction: Assume that $H$ is the proof of $\forall x, y: A^\nu.\ x = y \to y = x$. Assume $x = y$ and let $h$ be a proof of this premise. We proceed by inversion on the proof $h$. It must have been obtained by applying one of the two constructors eq_value or eq_step.

If $h = (\mathrm{eq\_value}\ x\ y\ a'\ h_1\ h_2)$, with $h_1$ a proof of $x \downarrow a'$ and $h_2$ a proof of $y \downarrow a'$, then we just have to apply the same constructor with inverted arguments to obtain the desired goal: $(\mathrm{eq\_value}\ y\ x\ a'\ h_2\ h_1)$ is a proof of $y = x$.

If $h = (\mathrm{eq\_step}\ \triangleright x'\ \triangleright y'\ h')$, with $x = \triangleright x'$, $y = \triangleright y'$, and $h'$ a proof of $x' = y'$, then we apply $H$ to $x'$, $y'$, and $h'$ to obtain $y' = x'$, and then we have $y = \triangleright y' = \triangleright x' = x$ by eq_step. The application of $H$ is guarded by eq_step.

7. By inversion on the proof of the premise $\triangleright x \downarrow a$, which can only have been obtained by using value_step on a proof of $x \downarrow a$.

11. By coinduction: Assume that $H$ is the proof of $\forall x, y: A^\nu.\ x = y \to x = \triangleright y$. Assume $x = y$ and let $h$ be a proof of this premise. We proceed by inversion on $h$.

If $h = (\mathrm{eq\_value}\ x\ y\ a'\ h_1\ h_2)$, with $h_1$ a proof of $x \downarrow a'$ and $h_2$ a proof of $y \downarrow a'$, then, by value_step, from $h_2$ we can deduce $\triangleright y \downarrow a'$. By eq_value, we conclude that $x = \triangleright y$.

If $h = (\mathrm{eq\_step}\ \triangleright x'\ \triangleright y'\ h')$, with $x = \triangleright x'$, $y = \triangleright y'$, and $h'$ a proof of $x' = y'$, then we apply $H$ to $x'$, $y'$, and $h'$ to obtain $x' = \triangleright y'$. By eq_step we then have that $x = \triangleright x' = \triangleright\triangleright y' = \triangleright y$. The application of $H$ is guarded by eq_step.

12. By inversion on the proof of the premise $\triangleright x = y$, using point 7 in case eq_value was used and point 11 in case eq_step was used.

3. Assume that $x \downarrow a$ and let $h$ be a proof of this premise. We proceed by induction on the structure of $h$.

If $h = (\mathrm{value\_return}\ a): \ulcorner a \urcorner \downarrow a$ then we have to prove that if $\ulcorner a \urcorner = y$ then $y \downarrow a$. By point 15, $y = \ulcorner a \urcorner$ and, by point 6, $y \downarrow a$.

If $h = (\mathrm{value\_step}\ x'\ a\ h')$ with $x = \triangleright x'$ and $h'$ a proof of $x' \downarrow a$, we know by induction hypothesis that $\forall y: A^\nu.\ x' = y \to y \downarrow a$. Assume now that $x = y$, that is, $\triangleright x' = y$. By point 12 we can deduce that $x' = y$, and therefore, by induction hypothesis, that $y \downarrow a$.

8. By inversion on the proof of the premise $\triangleright x \uparrow$.

9. By induction on the proof $h$ of the premise $x \downarrow a$.

If $h = (\mathrm{value\_return}\ a)$, with $x = \ulcorner a \urcorner$, we have to prove that $\lnot \ulcorner a \urcorner \uparrow$. This is true because it is impossible to build a proof of $\ulcorner a \urcorner \uparrow$. If such a proof existed, it should be obtained by an application of the only constructor diverge of the predicate Diverge. But such a proof $(\mathrm{diverge}\ x\ h)$ can only prove statements in the form $\triangleright x \uparrow$. Since in our case the argument of Diverge is $\ulcorner a \urcorner$, we reach a contradiction. This proof is a degenerate case of proof by inversion: By analyzing the possible form of the proof we conclude that no form is possible.

If $h = (\mathrm{value\_step}\ x'\ a\ h')$ with $x = \triangleright x'$ and $h'$ a proof of $x' \downarrow a$, we know by induction hypothesis that $\lnot x' \uparrow$. To prove that $\lnot x \uparrow$, assume that $x \uparrow$, that is $\triangleright x' \uparrow$. By point 8 we then have that $x' \uparrow$, against the induction hypothesis. Having reached a contradiction, we conclude that $\lnot x \uparrow$.
4. By coinduction: Assume that $H$ is the proof of $\forall x, y: A^\nu.\ x \uparrow \to x = y \to y \uparrow$. Assume $x = y$ and let $h$ be a proof of this assumption. We must prove that $x \uparrow \to y \uparrow$. We proceed by inversion on $h$.

Suppose $h = (\mathrm{eq\_value}\ x\ y\ a'\ h_1\ h_2)$ with $h_1$ a proof of $x \downarrow a'$ and $h_2$ a proof of $y \downarrow a'$. If we assume that $x \uparrow$ then we obtain a contradiction by point 9. The conclusion then follows by ex falso quodlibet.

Suppose $h = (\mathrm{eq\_step}\ \triangleright x'\ \triangleright y'\ h')$, with $x = \triangleright x'$, $y = \triangleright y'$, and $h'$ a proof of $x' = y'$. From the assumption $x \uparrow$, that is $\triangleright x' \uparrow$, and point 8 we derive $x' \uparrow$. We apply $H$ to this proof and $h'$ to obtain $y' \uparrow$. By diverge we then obtain $\triangleright y' \uparrow$, that is, $y \uparrow$. The application of $H$ is guarded by diverge.
10. By induction on the proof $h$ of the premise $x \downarrow a$.

If $h = (\mathrm{value\_return}\ a)$, with $x = \ulcorner a \urcorner$, we have to prove that $y \uparrow \to \ulcorner a \urcorner \neq y$. Assume that $y \uparrow$ and $\ulcorner a \urcorner = y$. By point 15, $y = \ulcorner a \urcorner$; by point 6, $y \downarrow a$; by point 9, $\lnot y \uparrow$, against the hypothesis. Discharging the second hypothesis, we obtain $\lnot(\ulcorner a \urcorner = y)$.

If $h = (\mathrm{value\_step}\ x'\ a\ h')$ with $x = \triangleright x'$ and $h'$ a proof of $x' \downarrow a$, we know by induction hypothesis that $y \uparrow \to \lnot(x' = y)$. Assume that $y \uparrow$, so $\lnot(x' = y)$ by induction hypothesis. We have to prove $\lnot(x = y)$, that is, $\lnot(\triangleright x' = y)$. Assume that $\triangleright x' = y$. By point 12 we then have that $x' = y$, contradicting a previous conclusion. Having reached a contradiction, we conclude that $\lnot(x = y)$.
16. By coinduction: Assume that $H$ is the proof of $\forall x, y, z: A^\nu.\ x = y \to y = z \to x = z$. Assume $h_1$ is a proof of $x = y$ and $h_2$ is a proof of $y = z$. We proceed by inversion on these proofs: We have three cases.

Suppose $h_1 = (\mathrm{eq\_value}\ x\ y\ a'\ k_1\ k_2)$ with $k_1$ a proof of $x \downarrow a'$ and $k_2$ a proof of $y \downarrow a'$. By point 3, from $k_2$ and $h_2$ we can derive that $z \downarrow a'$. By $k_1$ and eq_value, it follows that $x = z$.

Suppose $h_2 = (\mathrm{eq\_value}\ y\ z\ a'\ k_2\ k_3)$. The proof is similar to the previous case.

Suppose $h_1 = (\mathrm{eq\_step}\ \triangleright x'\ \triangleright y'\ h_1')$ with $x = \triangleright x'$, $y = \triangleright y'$, and $h_1'$ a proof of $x' = y'$; and $h_2 = (\mathrm{eq\_step}\ \triangleright y'\ \triangleright z'\ h_2')$ with $y = \triangleright y'$, $z = \triangleright z'$, and $h_2'$ a proof of $y' = z'$. We apply $H$ to $x'$, $y'$, $z'$ and the proofs $h_1'$ and $h_2'$, obtaining that $x' = z'$. By eq_step it follows that $\triangleright x' = \triangleright z'$, that is, $x = z$. The application of $H$ is guarded by eq_step.

□

Points 14, 15, and 16 of the previous lemma can be summarized in the following.

Theorem 3.7. For every type $A$, $\mathrm{Eq}^\nu_A$ is an equivalence relation on $A^\nu$.

It follows that the pair $(A^\nu, \mathrm{Eq}^\nu_A)$ is a total setoid [?].

The finite elements of $A^\nu$ are those that have a value in $A$. They can be characterized directly by an inductive predicate.

Definition 3.8.

Inductive Finite $[x: A^\nu]$: Prop :=
  finite_return: $(a: A)(\mathrm{Finite}\ \ulcorner a \urcorner)$
  finite_step: $(x: A^\nu)(\mathrm{Finite}\ x) \to (\mathrm{Finite}\ \triangleright x)$.

Lemma 3.9. $\forall x: A^\nu.\ (\mathrm{Finite}\ x) \leftrightarrow \exists a: A.\ x \downarrow a$.

Proof. From left to right: by induction on the proof of $(\mathrm{Finite}\ x)$. From right to left: by induction on the proof of $x \downarrow a$. □

Hereafter, we use the notation $x \downarrow$ for $(\mathrm{Finite}\ x)$.

A partial function from a type $A$ to a type $B$ is seen as a function from $A^\nu$ to $B^\nu$. To be precise, we must require that a function $f: A^\nu \to B^\nu$ preserves equality: $\forall x_1, x_2: A^\nu.\ x_1 = x_2 \to (f\ x_1) = (f\ x_2)$. In other words, $f$ must be a setoid function. Using the notation of [?], this is written

$\langle A^\nu, \mathrm{Eq}^\nu_A \rangle\ [\to]\ \langle B^\nu, \mathrm{Eq}^\nu_B \rangle.$

($[\to]$ is the functionoid constructor: Given two setoids, it constructs the setoid of functions between the two. Its elements are pairs consisting of a function and a proof that it preserves the setoid equality. The equality of the functionoid is the extensional equality on the first component, that is, the underlying function.) Anyway, we will use the simple definition and leave it to the reader to check that all the functions that we define (with one exception) preserve equality.

A function is called strict if it always maps diverging elements to diverging elements. Since a strict function is always determined on the diverging elements and it must preserve equality, its type can be strengthened to $A \to B^\nu$.

The first partial functions that we define are just the lifting of the total functions.

Definition 3.10. If $f: A \to B$, we define its lifting to the partial elements as

$f_\nu\ \ulcorner a \urcorner = \ulcorner (f\ a) \urcorner$
$f_\nu\ \triangleright y = \triangleright (f_\nu\ y).$

Lemma 3.11. For every $a: A$, $(f_\nu\ \ulcorner a \urcorner) = \ulcorner (f\ a) \urcorner$.

A special case arises when we consider tuples and projections. The types $A^\nu \times B^\nu$ and $(A \times B)^\nu$ are not isomorphic. We want to define a strict version of the projection functions. That is, the projection should diverge whenever either of the components of the tuple diverges. To do this, we first map $A^\nu \times B^\nu$ to $(A \times B)^\nu$:

mixed_pair: $A \times B^\nu \to (A \times B)^\nu$
mixed_pair $(a, y)$ = Cases $y$ of
  $\ulcorner b \urcorner \mapsto \ulcorner (a, b) \urcorner$
  $\triangleright y' \mapsto \triangleright(\mathrm{mixed\_pair}\ (a, y'))$

strict_pair: $A^\nu \times B^\nu \to (A \times B)^\nu$
strict_pair $(x, y)$ = Cases $x$ of
  $\ulcorner a \urcorner \mapsto (\mathrm{mixed\_pair}\ (a, y))$
  $\triangleright x' \mapsto \triangleright(\mathrm{strict\_pair}\ (x', y))$

The function strict_pair just moves all the steps outside the pairing constructor. Iterating strict_pair $n$ times, we obtain $\mathrm{strict\_tuple}_n: (A^\nu)^n \to (A^n)^\nu$. We use the notation $\langle x_1, \ldots, x_n \rangle$ for $(\mathrm{strict\_tuple}_n\ (x_1, \ldots, x_n))$. The strict projections are then defined by

$\pi^\nu_i: (A^\nu)^n \to A^\nu$
$\pi^\nu_i = (\pi_i)_\nu \circ \mathrm{strict\_tuple}_n$

where $\pi_i: A^n \to A$ is the standard projection. Note that $(\pi^\nu_i\ \langle x_1, \ldots, x_n \rangle) = x_i$ if and only if all the $x_j$s converge or $x_i$ diverges.

4. Representation of partial recursive functions

We show that every partial recursive function $f: \mathbb{N}^n \rightharpoonup \mathbb{N}$ can be implemented in type theory as $f^\nu: (\mathbb{N}^\nu)^n \to \mathbb{N}^\nu$. We use the notation $A \rightharpoonup B$ to denote partial recursive functions from $A$ to $B$, that is, any function obtained from the base functions zero, successor, and projections, by composition, primitive recursion, and minimization. Let us define $f^\nu$ for every basic function and function-forming operation (see [?] or any other generic introduction to recursion theory).

Definition 4.1. By recursion on the definition of a partial recursive function $f: \mathbb{N}^n \rightharpoonup \mathbb{N}$, we define its type-theoretic version $f^\nu: (\mathbb{N}^\nu)^n \to \mathbb{N}^\nu$.

Zero: The zero function is the constant $0$:

$\mathbf{0}: \mathbb{N} \to \mathbb{N}$
$\mathbf{0}\ x = 0.$

Since $\mathbf{0}$ is a total function definable in type theory, we just put $\mathbf{0}^\nu = \mathbf{0}_\nu$.

Successor: Since the successor function $S$ is definable in type theory, we just put $S^\nu = S_\nu$.

Projections: The projections are the functions $\pi^\nu_i$ defined in the previous section.

Composition: Composition is the standard composition in type theory. If $f: \mathbb{N}^k \rightharpoonup \mathbb{N}$ and $g_i: \mathbb{N}^n \rightharpoonup \mathbb{N}$ for $1 \le i \le k$, then we define

$(f \circ (g_1, \ldots, g_k))^\nu: (\mathbb{N}^\nu)^n \to \mathbb{N}^\nu$
$(f \circ (g_1, \ldots, g_k))^\nu\ x = (f^\nu\ ((g_1^\nu\ x), \ldots, (g_k^\nu\ x))).$

Primitive Recursion: Let $f: \mathbb{N}^n \rightharpoonup \mathbb{N}$ and $g: \mathbb{N}^{n+2} \rightharpoonup \mathbb{N}$, and let $h$ be defined by primitive recursion from $f$ and $g$:

$h: \mathbb{N}^{n+1} \rightharpoonup \mathbb{N}$
$h\ (x, 0) = (f\ x)$
$h\ (x, (S\ y)) = (g\ x\ y\ (h\ x\ y)).$

We first define a version $h'$ of $h$ by recursion (fixpoint) on the natural numbers:

$h': (\mathbb{N}^\nu)^n \to \mathbb{N} \to \mathbb{N}^\nu$
$h'\ x\ 0 = (f^\nu\ x)$
$h'\ x\ (S\ m) = (g^\nu\ x\ \ulcorner m \urcorner\ (h'\ x\ m))$

and then lift it to the partial elements:

$h^\nu: (\mathbb{N}^\nu)^{n+1} \to \mathbb{N}^\nu$
$h^\nu\ x\ \ulcorner m \urcorner = (h'\ x\ m)$
$h^\nu\ x\ \triangleright y = \triangleright(h^\nu\ x\ y).$

Minimization: Let $f: \mathbb{N}^{n+1} \rightharpoonup \mathbb{N}$ and let $g$ be defined from $f$ by minimization:

$g: \mathbb{N}^n \rightharpoonup \mathbb{N}$
$g\ x$ = least $y$ such that $(f\ x\ y) = 0$.

To define the type-theoretic version of $g$ we use an auxiliary function that has an extra accumulation parameter, defined by corecursion (cofixpoint) on the result:

$g': (\mathbb{N}^\nu)^n \to \mathbb{N} \to \mathbb{N}^\nu \to \mathbb{N}^\nu$
$g'\ x\ i\ \ulcorner m \urcorner$ = Cases $m$ of
  $0 \mapsto \ulcorner i \urcorner$
  $(S\ m') \mapsto \triangleright(g'\ x\ (S\ i)\ (f^\nu\ \langle x, \ulcorner (S\ i) \urcorner \rangle))$
$g'\ x\ i\ \triangleright y = \triangleright(g'\ x\ i\ y)$

and then

$g^\nu\ x = (g'\ x\ 0\ (f^\nu\ \langle x, \ulcorner 0 \urcorner \rangle)).$

It is routine work, although quite long, to verify that the translations have the correct computational behavior.

Theorem 4.2. Let $f: \mathbb{N}^n \rightharpoonup \mathbb{N}$ be a partial recursive function. For every $x: \mathbb{N}^n$ and $y: \mathbb{N}$,

$(f\ x) = y \iff (f^\nu\ \ulcorner x \urcorner) = \ulcorner y \urcorner.$

Proof. The proof is a lengthy routine use of the techniques illustrated in the previous section. 
For a formal proof we should first formalize part of recursion theory. First, we have to define 
an inductive type of codes of recursive functions generated by constructors corresponding to 
the base functions, composition, primitive recursion, and minimization. Then, we need to 
give an operational semantics that associates to every code a relation on natural numbers, 
the relation being the graph of the recursive function. Finally, we have to interpret the 
codes as functions on the type of partial elements, as shown above, and prove that this 
interpretation is sound with respect to the operational semantics. 

There are no conceptual problems in doing this, but a lot of technical work. We rather refer to Section 6, where we prove that it is possible to construct fixed points of functional operators. Since it is a known fact that all recursive functions can be realized by such a fixpoint combinator, the present statement will automatically follow. □

Let me stress the advantage of this approach in comparison with other methods to 
formalize general recursion in type theory. 

First of all, some of the techniques, for example that of Balaa and Bertot [2] and that of Barthe and others [7, 8], do not address the question of partiality but present ways of extending the definition schemes for total recursive functions. The method of Bove and Capretta [?] allows the definition of partial functions by restricting them to their domain of convergence. However, it is still not possible to apply a function freely to an argument, but it is necessary first to prove that the argument satisfies the domain predicate.

With coinductively defined types of partial elements, functions can be freely applied to 
arguments without the need of extra logical information. 

5. Nested recursion 

Theorem 4.2 says that every computable function can be represented in type theory. In this section we look at some specific examples of nested recursive functions. In general we represent a partial function from $A$ to $B$ as an element of $A \to B^\nu$, since the values on the diverging elements of $A$ must, by strictness, diverge.

We start with the simplest example of nested recursion [15]:

$\mathrm{nest}: \mathbb{N} \rightharpoonup \mathbb{N}$
$\mathrm{nest}\ 0 = 0$
$\mathrm{nest}\ (S\ n) = (\mathrm{nest}\ (\mathrm{nest}\ n)).$

It is clear that nest is constantly $0$, so we can implement it in type theory as the constant $0$. However, we are interested in the form in which the function is defined. More complex nested functions do not have a simple non-nested presentation. We see an example later. We represent nest in type theory by using the method of accumulation of results and tail recursion:

$\mathrm{cnest}: \mathbb{N} \times \mathbb{N} \to \mathbb{N}^\nu$
$\mathrm{cnest}\ (n, 0) = \ulcorner n \urcorner$
$\mathrm{cnest}\ (0, (S\ m)) = \triangleright(\mathrm{cnest}\ (0, m))$
$\mathrm{cnest}\ ((S\ n), (S\ m)) = \triangleright(\mathrm{cnest}\ (n, m + 2)).$

It is easy to check that $(\mathrm{cnest}\ (n, m))$ computes the value $(\mathrm{nest}^m\ n)$, so the extra parameter $m$ keeps track of the number of nested iterations of nest. Now we can define in type theory

$\mathrm{nest}: \mathbb{N} \to \mathbb{N}^\nu$
$\mathrm{nest}\ n = (\mathrm{cnest}\ (n, 1)).$

Let us look at a more interesting example. We define a class of nested recursive functions, that we nickname the devil's nest. Let $A$ be a type, $T$ a decidable subset of $A$, representable in type theory by a predicate $P: A \to \mathrm{Prop}$ such that $\forall a: A.\ (P\ a) \lor \lnot(P\ a)$. Let $i: A \to A$ and $g: T \to A$ (that is, $g: (x: A)(P\ x) \to A$). Then the function $\mathrm{dev}_{T,i,g}$ is defined as

$\mathrm{dev}_{T,i,g}: A \rightharpoonup A$
$\mathrm{dev}_{T,i,g}\ a = (g\ a)$ if $a \in T$
$\mathrm{dev}_{T,i,g}\ a = (\mathrm{dev}_{T,i,g}\ (\mathrm{dev}_{T,i,g}\ (i\ a)))$ otherwise.

We formalize this function in type theory by using, as before, an extra parameter that keeps track of the number of nested calls to $\mathrm{dev}_{T,i,g}$:

$\mathrm{dev}_{\mathrm{aux}}: A \times \mathbb{N} \to A^\nu$
$\mathrm{dev}_{\mathrm{aux}}\ (a, m)$ = Cases $m$ of
  $0 \mapsto \ulcorner (g\ a) \urcorner$
  $(S\ m') \mapsto \triangleright(\mathrm{dev}_{\mathrm{aux}}\ ((g\ a), m'))$
  if $(P\ a)$
$\mathrm{dev}_{\mathrm{aux}}\ (a, m) = \triangleright(\mathrm{dev}_{\mathrm{aux}}\ ((i\ a), (S\ m)))$ otherwise.

We have left the proof argument of $g$ implicit to simplify notation: Rigorously, we should have written $(g\ a\ h)$ in place of $(g\ a)$, in the case where $(P\ a)$ is true, where $h$ is the proof of $(P\ a)$ guaranteed by the branch case. Similarly to the previous case, the original function is recovered by specifying an initial value for the accumulation parameter, in this case $0$:

$\mathrm{dev}_{T,i,g}: A \to A^\nu$
$\mathrm{dev}_{T,i,g}\ a = (\mathrm{dev}_{\mathrm{aux}}\ (a, 0)).$

Another interesting example occurs when a recursive call is followed by a call to another function, as in the definition of primitive recursion but without a decreasing argument. Let $h: A \to A$. We want to formalize the following function:

$d_h\ a = (g\ a)$ if $a \in T$
$d_h\ a = (h\ (d_h\ (i\ a)))$ otherwise.

We use a continuation-passing style translation, using an extra functional parameter:

$d_{\mathrm{aux}}: (A \to A^\nu) \times A \to A^\nu$
$d_{\mathrm{aux}}\ (k, a) = (k\ (g\ a))$ if $(P\ a)$
$d_{\mathrm{aux}}\ (k, a) = \triangleright(d_{\mathrm{aux}}\ (k \circ h, (i\ a)))$ otherwise

and then

$d_h: A \to A^\nu$
$d_h\ a = (d_{\mathrm{aux}}\ (\lambda x.\ \ulcorner x \urcorner, a)).$

Finally, we put the two preceding examples together to obtain the most general version of the devil's nest:

$\mathrm{devil}_{T,i,g,h}: A \rightharpoonup A$
$\mathrm{devil}_{T,i,g,h}\ a = (g\ a)$ if $a \in T$
$\mathrm{devil}_{T,i,g,h}\ a = (h\ (\mathrm{devil}_{T,i,g,h}\ (\mathrm{devil}_{T,i,g,h}\ (i\ a))))$ otherwise.

This function is formalized by

$\mathrm{devil}_{\mathrm{aux}}: (A \to A^\nu) \times \mathbb{N} \times A \to A^\nu$
$\mathrm{devil}_{\mathrm{aux}}\ (k, m, a)$ = Cases $m$ of
  $0 \mapsto (k\ (g\ a))$
  $(S\ m') \mapsto \triangleright(\mathrm{devil}_{\mathrm{aux}}\ (k, m', (g\ a)))$
  if $(P\ a)$
$\mathrm{devil}_{\mathrm{aux}}\ (k, m, a) = \triangleright(\mathrm{devil}_{\mathrm{aux}}\ (k \circ h, (S\ m), (i\ a)))$ otherwise

and then

$\mathrm{devil}_{T,i,g,h}: A \to A^\nu$
$\mathrm{devil}_{T,i,g,h}\ a = (\mathrm{devil}_{\mathrm{aux}}\ (\lambda x.\ \ulcorner x \urcorner, 0, a)).$
There is another possible generalization: Instead of having just one nested recursive 
call, we could have a variable number of nestings. It is clear that then we just have to 
modify the definition by adding the nesting number to the accumulation parameter. 
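As an added illustration (my own Python model, not the paper's Coq development), the following block represents the strict partial elements as a lazy Return/Step structure with a step-bounded evaluator, and implements the corecursive minimization of Definition 4.1 together with the accumulator encoding devil_aux of this section; the instances ceil_sqrt, exact_sqrt and McCarthy's 91 function are assumptions of the example, chosen so that both convergence and divergence are exercised.

```python
# Added example, not from the paper: a Python model of the strict partial
# elements A^nu (Definition 4.1 and Section 5). A partial element is either
# Return(a) (the paper's corner-bracket constructor) or Step(thunk), where the
# thunk is forced only on demand, so infinite step sequences can be built.
from typing import Callable, Optional


class Return:
    """The partial element that immediately yields the value a."""
    def __init__(self, value):
        self.value = value


class Step:
    """One computation step in front of a lazily produced partial element."""
    def __init__(self, thunk: Callable[[], object]):
        self.thunk = thunk


def bottom():
    """The always-diverging element: an infinite sequence of steps."""
    return Step(bottom)


def run(x, fuel: int) -> Optional[object]:
    """Force at most `fuel` steps. Returns the value if x converges within the
    budget, None otherwise (divergence is never decided, only bounded)."""
    for _ in range(fuel):
        if isinstance(x, Return):
            return x.value
        x = x.thunk()
    return x.value if isinstance(x, Return) else None


def minimize(f_nu: Callable[[int, int], object]) -> Callable[[int], object]:
    """Minimization of Definition 4.1: g x = least i with (f x i) = 0.
    f_nu(x, i) is the partial result of f; g_aux is the paper's g', defined
    by corecursion on that result, with i as the accumulation parameter."""
    def g_aux(x, i, m):
        if isinstance(m, Step):                  # g' x i (step y) = step (g' x i y)
            return Step(lambda: g_aux(x, i, m.thunk()))
        if m.value == 0:                         # the least i has been found
            return Return(i)
        return Step(lambda: g_aux(x, i + 1, f_nu(x, i + 1)))
    return lambda x: g_aux(x, 0, f_nu(x, 0))


def devil(P, i, g, h):
    """devil_aux of Section 5: the continuation k collects the pending outer
    calls of h, m counts the pending nested recursive calls."""
    def aux(k, m, a):
        if P(a):
            if m == 0:
                return k(g(a))
            return Step(lambda: aux(k, m - 1, g(a)))
        return Step(lambda: aux(lambda v: k(h(v)), m + 1, i(a)))
    return lambda a: aux(Return, 0, a)


# Constructed instances (assumptions of this example, not from the paper):
# ceil_sqrt by minimization of a total test; exact_sqrt converges only on
# perfect squares and diverges elsewhere.
ceil_sqrt = minimize(lambda x, i: Return(0 if i * i >= x else 1))
exact_sqrt = minimize(lambda x, i: Return(0 if i * i == x else 1))

# nest of Section 5 is the devil's nest with T = {0}, i = predecessor and
# g = h = identity; McCarthy's 91 function is the instance with T = {n > 100},
# i = n + 11, g = n - 10 and h = identity.
nest = devil(lambda n: n == 0, lambda n: n - 1, lambda n: n, lambda n: n)
mc91 = devil(lambda n: n > 100, lambda n: n + 11, lambda n: n - 10, lambda n: n)

if __name__ == "__main__":
    print(run(ceil_sqrt(10), 100), run(exact_sqrt(2), 10_000))   # 4 None
    print(run(nest(5), 1_000), run(mc91(1), 100_000))             # 0 91
```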

6. Fixed points of function operators

We want to construct functions defined as fixed points of function operators. Let $F: (A \to B^\nu) \to (A \to B^\nu)$ be such an operator. Our goal is to define a function $Y(F): A \to B^\nu$ such that $(F\ Y(F))$ is extensionally equal to $Y(F)$. Moreover $Y(F)$ must be minimal with respect to convergence.

Some conditions must be imposed on $F$ for the construction to be possible. Since $F$ is supposed to represent a generic recursive scheme, one sensible condition is finitarity: We assume that, to compute a specific result, $F$ uses its arguments only on a finite number of inputs.

Definition 6.1. We say that $F: (A \to B^\nu) \to (A \to B^\nu)$ is finitary if it satisfies the following condition: For every function $f: A \to B^\nu$ and every argument $a: A$ such that $(F\ f\ a)$ converges to some value, that is, $(F\ f\ a) \downarrow b$ for some $b: B$, there exists a finite number of arguments $a_1, \ldots, a_n: A$ such that $f$ converges on each of them, $(f\ a_i) \downarrow b_i$, and

$\forall g: A \to B^\nu.\ \bigwedge_{i=1}^{n} (g\ a_i) \downarrow b_i \to (F\ g\ a) \downarrow b.$

In words, $F$ is finitary (or continuous) if its results depend only on the values of the function argument on a finite set of inputs.

Notice that all operators used in recursion theory, for example those needed for the constructions of Section 4, are finitary.

We will use three consequences of finitarity: first, a finitary operator preserves extensional equality; second, it preserves convergence order; third, its least prefixed point can be constructed in a countable number of steps.

In the rest of this section, let $F$ be a finitary operator.

Definition 6.2. Extensional equality between two functions $f_1, f_2: A \to B^\nu$ is defined as

$f_1 = f_2 \iff \forall a: A.\ (f_1\ a) = (f_2\ a).$

We say that $F$ is extensional if

$\forall f_1, f_2: A \to B^\nu.\ f_1 = f_2 \to (F\ f_1) = (F\ f_2).$

Lemma 6.3. $F$ is extensional.

Proof. It follows trivially from the stronger Lemma 6.7. □
A stronger property holds: F preserves the order on functions given by convergence. 

Definition 6.4. The convergence order between partial elements is defined coinductively by

CoInductive $\mathrm{Le}_A$ $[x, y: A^\nu]$: Prop :=
  le_value: $(x, y: A^\nu;\ a: A)\ x \downarrow a \to y \downarrow a \to (\mathrm{Le}_A\ x\ y)$
  le_steps: $(x, y: A^\nu)(\mathrm{Le}_A\ x\ y) \to (\mathrm{Le}_A\ \triangleright x\ \triangleright y)$
  le_lstep: $(x, y: A^\nu)(\mathrm{Le}_A\ x\ y) \to (\mathrm{Le}_A\ \triangleright x\ y)$

We use the notation $x \sqsubseteq y$ for $\mathrm{Le}_A\ x\ y$.

Intuitively, $x \sqsubseteq y$ holds if $x$ is obtained from $y$ by adding some (potentially infinite) $\triangleright$ steps.

The order between functions is defined pointwise on their values, that is, if $f_1, f_2: A \to B^\nu$, then we define

$f_1 \sqsubseteq f_2 \iff \forall a: A.\ (f_1\ a) \sqsubseteq (f_2\ a).$

It is immediate that equality $=$ is a subrelation of the order $\sqsubseteq$, since the order is defined by three constructors of which the first two correspond to the constructors of equality. It is also easy to prove that $\sqsubseteq$ is a transitive relation and it is reflexive and antisymmetric with respect to $=$. The relation $\sqsubseteq$ is equivalent to implication between convergence statements.

Lemma 6.5. The proposition $x \sqsubseteq y$ is equivalent to $\forall b: B.\ x \downarrow b \to y \downarrow b$.

Proof. From left to right, by induction on the proof of $x \downarrow b$. From right to left, by coinduction and cases on $x$. □

By antisymmetry we can conclude that the following characterization of equality holds.

Lemma 6.6. The proposition $x = y$ is equivalent to $\forall b: B.\ x \downarrow b \leftrightarrow y \downarrow b$.

Lemma 6.7. The operator $F$ preserves the convergence order, that is,

$\forall f_1, f_2: A \to B^\nu.\ f_1 \sqsubseteq f_2 \to (F\ f_1) \sqsubseteq (F\ f_2).$

Proof. It is a straightforward consequence of finitarity. □
We want to define the least fixed point $Y(F): A \to B^\nu$. Intuitively, we run in parallel all the iterations of $F$, starting with the always undefined function, and we take as result the outcome of the first converging run. If we call $\bot$ the function $\lambda a.\ \triangleright^\infty$, then we have:

$Y(F)\ a = (\bot\ a)$ if it converges; otherwise
$((F\ \bot)\ a)$ if it converges; otherwise
$((F^2\ \bot)\ a)$ if it converges; otherwise
$\ldots$

(This intuitive explanation is not precise: Since we cannot decide convergence, the actual function chooses the first of those values that converges.) Formally, we start by defining a function that computes the first converging of two partial objects.

Definition 6.8. The function computing the first converging element of a pair is defined corecursively by

fstconv: $B^\nu \to B^\nu \to B^\nu$
fstconv $\ulcorner b \urcorner\ y = \ulcorner b \urcorner$
fstconv $\triangleright x\ \ulcorner b \urcorner = \ulcorner b \urcorner$
fstconv $\triangleright x\ \triangleright y = \triangleright(\mathrm{fstconv}\ x\ y).$

We use the notation $x \curlywedge y$ for $(\mathrm{fstconv}\ x\ y)$.

So $x \curlywedge y$ returns the first between $x$ and $y$ to converge. Note that this is the only function defined so far that does not preserve equality: The term $(\triangleright^n \ulcorner b_1 \urcorner) \curlywedge (\triangleright^m \ulcorner b_2 \urcorner)$ converges to $b_1$ if $n \le m$, to $b_2$ otherwise, without $b_1$ and $b_2$ being necessarily equal. The result of the function depends sensibly on the number of $\triangleright$ steps in the arguments. However, our use of fstconv to obtain fixed points is such that the arguments are always compatible, that is, they never converge to different elements, although it may be possible that one of the two converges while the other diverges. In this case the result is equality preserving. (The notion of compatibility of partial elements is due to Tarmo Uustalu.)

Lemma 6.9. For every $y: B^\nu$, $(\triangleright^\infty \curlywedge y) = y$.

Proof. Proof by coinduction. Assume $H$ is the proof of the statement:

$H: \forall y: B^\nu.\ (\triangleright^\infty \curlywedge y) = y.$

In the computation of $\triangleright^\infty \curlywedge y$ the first equation in the definition of fstconv is not used. The second or third equation is applied, according to the structure of $y$. If $y = \ulcorner b \urcorner$, then the second equation itself states the truth of the lemma, by reflexivity of $=$. If $y = \triangleright y'$ then, by the third equation, $(\triangleright^\infty \curlywedge y) = (\triangleright\triangleright^\infty \curlywedge \triangleright y') = \triangleright(\triangleright^\infty \curlywedge y')$. By the coinductive hypothesis $H$ applied to $y'$, $\triangleright^\infty \curlywedge y' = y'$. By eq_step we then have that $\triangleright(\triangleright^\infty \curlywedge y') = \triangleright y'$, that is, $(\triangleright^\infty \curlywedge y) = y$, as desired. The recursive application of $H$ is guarded by eq_step. □

Obviously, fstconv converges only if one of its arguments converges.

Lemma 6.10. For every $x, y: B^\nu$ and $b: B$, $(x \curlywedge y) \downarrow b \to x \downarrow b \lor y \downarrow b$.

Proof. By induction on the proof of $(x \curlywedge y) \downarrow b$. □
The vice-versa is also true, but we have to be careful to take into account the non-extensionality of fstconv: if, for example, $x$ converges to $b$, it is not guaranteed that $x \curlywedge y$ also converges to $b$, because $y$ may converge to a different $b'$ in a shorter time. However, if $x$ is lower than $y$ in the convergence order, we know that they cannot converge to different values.

Lemma 6.11. Let $x, y: B^\nu$ and $b: B$, and assume that $x \sqsubseteq y$; then $x \downarrow b \to (x \curlywedge y) \downarrow b$.

Proof. By induction on the proof of $x \downarrow b$. □

We can recursively define an infinitary version of fstconv.

Definition 6.12. The operation of computing the first converging element of a sequence is defined corecursively by

parallel_search_aux: $(\mathbb{N} \to B^\nu) \to \mathbb{N} \to B^\nu \to B^\nu$
parallel_search_aux $f\ n\ \ulcorner b \urcorner = \ulcorner b \urcorner$
parallel_search_aux $f\ n\ \triangleright x = \triangleright(\mathrm{parallel\_search\_aux}\ f\ (S\ n)\ (x \curlywedge (f\ n)))$

parallel_search: $(\mathbb{N} \to B^\nu) \to B^\nu$
parallel_search $f$ = parallel_search_aux $f\ 0\ \triangleright^\infty$.

We write $(x \curlywedge^\infty_n f)$ for $(\mathrm{parallel\_search\_aux}\ f\ n\ x)$ and $\curlywedge^\infty f$ for $(\mathrm{parallel\_search}\ f)$.

Infinitary versions of the lemmas that we proved for fstconv hold for parallel_search, with corresponding additional hypotheses to take non-extensionality into account.

Lemma 6.13. For all $f: \mathbb{N} \to B^\nu$ and $b: B$, $(\curlywedge^\infty f) \downarrow b \to \exists n.\ (f\ n) \downarrow b$.

Lemma 6.14. Let $f: \mathbb{N} \to B^\nu$ be increasing, that is, $\forall n, m.\ n \le m \to (f\ n) \sqsubseteq (f\ m)$; if $b: B$ and $n: \mathbb{N}$, then $(f\ n) \downarrow b \to (\curlywedge^\infty f) \downarrow b$.

Lemma 6.15. Let $f: \mathbb{N} \to B^\nu$ and $y: B^\nu$; if $\forall n: \mathbb{N}.\ (f\ n) \sqsubseteq y$, then $\curlywedge^\infty f \sqsubseteq y$.
Let us call $k_i$ the $i$th iteration of $F$ on the function that always diverges:

$k_0 = \lambda x.\ \triangleright^\infty$
$k_{n+1} = (F\ k_n).$

Convergence of the $k_i$s is stable with respect to the index $i$.

Lemma 6.16. For every $n, m: \mathbb{N}$ such that $n \le m$, $k_n \sqsubseteq k_m$; equivalently

$\forall a: A,\ b: B.\ (k_n\ a) \downarrow b \to (k_m\ a) \downarrow b.$

Proof. We prove by induction on $n$ that $k_n \sqsubseteq k_{n+1}$; the statement follows by transitivity of $\sqsubseteq$. The base case is obvious since $k_0$ has the constant value $\triangleright^\infty$, the least element of the convergence order. The inductive step follows immediately from Lemma 6.7. □

Finally, we can simply define the fixed point of $F$ pointwise as the result of running all of the $k_i$s in parallel.

Definition 6.17. $Y(F) = \lambda a: A.\ \curlywedge^\infty (\lambda n.\ (k_n\ a)).$

If $Y(F)$ converges on a certain element $a$, it must give the same result as one of the $k_i$s.

Lemma 6.18. $(Y(F)\ a) \downarrow b \iff \exists n.\ (k_n\ a) \downarrow b.$

Proof. From left to right it follows from Lemma 6.13. From right to left it follows from Lemma 6.14. □
The combination of the previous lemmas provides a proof of the soundness of $Y(F)$ as a least fixed point of $F$.

Theorem 6.19. $Y(F)$ is a fixed point of $F$: $(F\ Y(F)) = Y(F)$.

Proof. We prove that $(F\ Y(F)) \sqsubseteq Y(F)$ and $Y(F) \sqsubseteq (F\ Y(F))$. The statement follows from antisymmetry of $\sqsubseteq$.

To prove that $(F\ Y(F)) \sqsubseteq Y(F)$ we just have to show, by Lemma 6.5, that for all $a: A$ and $b: B$, if $(F\ Y(F)\ a) \downarrow b$ then also $(Y(F)\ a) \downarrow b$. By finitarity of $F$, $(F\ Y(F)\ a) \downarrow b$ implies that there exist $a_1, \ldots, a_k: A$ and $b_1, \ldots, b_k: B$ such that $(Y(F)\ a_i) \downarrow b_i$ and the result of $(F\ Y(F)\ a)$ depends only on these arguments. By Lemma 6.18 we have that $(k_{n_i}\ a_i) \downarrow b_i$ for some indexes $n_i$. Let $n$ be the largest of the $n_i$s. By Lemma 6.16, $(k_n\ a_i) \downarrow b_i$ for every $i$. Therefore, by finitarity of $F$, $(F\ k_n\ a) \downarrow b$. But $(F\ k_n) = k_{n+1}$, so $(k_{n+1}\ a) \downarrow b$. By Lemma 6.18 it follows that $(Y(F)\ a) \downarrow b$, as desired.

In the other direction, we prove that $Y(F) \sqsubseteq (F\ Y(F))$. Let $a: A$; we show that $(k_n\ a) \sqsubseteq (F\ Y(F)\ a)$ for every $n$; the statement follows by Lemma 6.15. For $n = 0$ it is trivial because $(k_0\ a) = \triangleright^\infty$. For non-zero values we have $(k_{n+1}\ a) = (F\ k_n\ a)$ and, by Lemma 6.7, we just need to prove $(k_n\ a) \sqsubseteq (Y(F)\ a)$. But this follows easily from Lemmas 6.5 and 6.18. □

Theorem 6.20. $Y(F)$ is the least prefixed point of $F$: if $f$ is any prefixed point of $F$, that is, $(F\ f) \sqsubseteq f$, then $Y(F) \sqsubseteq f$.

Proof. We prove by induction on $n$ that $k_n \sqsubseteq f$. For $n = 0$ it is obvious. Assume that $k_n \sqsubseteq f$. Then, by Lemma 6.7, $k_{n+1} = (F\ k_n) \sqsubseteq (F\ f) \sqsubseteq f$ and we are done. The statement then follows from Lemma 6.15. □

A method to construct fixed points of function operators is described by Balaa and 
Bertot [2], but in their case it is necessary to prove that recursive calls are decreasing with 
respect to some wellfounded order. The advantage of our method is that it produces fixed 
points of every finitary operator, without requiring any additional logical information. 
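The construction of this section, as an added Python model of my own rather than the paper's formalization: fstconv (Definition 6.8), parallel_search (Definition 6.12), the iterates $k_n$ and $Y(F)$ (Definition 6.17), run on a lazy Return/Step representation of $B^\nu$. The operators nest_op, collatz_op and loop are constructed assumptions of the example; bind is the Kleisli extension $f^*$ of Section 8, used only to write recursive calls inside an operator.

```python
# Added example, not from the paper: the least fixed point construction of
# Section 6 (fstconv, parallel_search, the iterates k_n and Y(F)) modelled in
# Python. Partial elements are Return(b) or Step(thunk) with a lazily forced
# thunk; bind is the Kleisli extension f* of Section 8.
from typing import Callable, Optional


class Return:
    def __init__(self, value):
        self.value = value


class Step:
    def __init__(self, thunk: Callable[[], object]):
        self.thunk = thunk


def bottom():
    """The always-diverging element (an infinite sequence of steps)."""
    return Step(bottom)


def delay(n: int, x):
    """x preceded by n steps, written step^n x in the paper."""
    return Step(lambda: delay(n - 1, x)) if n > 0 else x


def run(x, fuel: int) -> Optional[object]:
    """Force at most `fuel` steps; None if no value appeared in the budget."""
    for _ in range(fuel):
        if isinstance(x, Return):
            return x.value
        x = x.thunk()
    return x.value if isinstance(x, Return) else None


def fstconv(x, y):
    """Definition 6.8: the first of x and y to converge (x wins ties)."""
    if isinstance(x, Return):
        return x
    if isinstance(y, Return):
        return y
    return Step(lambda: fstconv(x.thunk(), y.thunk()))


def parallel_search(f: Callable[[int], object]):
    """Definition 6.12: start (f n) at step n, run all of them in lockstep
    with fstconv and return whichever converges first."""
    def aux(n, x):
        if isinstance(x, Return):
            return x
        return Step(lambda: aux(n + 1, fstconv(x.thunk(), f(n))))
    return aux(0, bottom())


def bind(x, f):
    """f* of Section 8: compute x and, if it yields a value, apply f to it."""
    if isinstance(x, Return):
        return f(x.value)
    return Step(lambda: bind(x.thunk(), f))


def fix(F):
    """Definition 6.17: Y(F) a = parallel_search (lambda n. k_n a), where
    k_0 is the always-diverging function and k_{n+1} = F k_n."""
    def k(n):
        return (lambda a: bottom()) if n == 0 else F(k(n - 1))
    return lambda a: parallel_search(lambda n: k(n)(a))


# Constructed finitary operators (assumptions of this example). Each clause
# puts a step in front of its recursive calls, so every call is guarded.
def nest_op(f):
    # nest 0 = 0 ; nest (S n) = nest (nest n), the example of Section 5
    return lambda n: Return(0) if n == 0 else Step(lambda: bind(f(n - 1), f))


def collatz_op(f):
    # steps 1 = 0 ; steps n = 1 + steps (n/2 if n even, else 3n+1):
    # not structurally recursive, hence a natural use of Y(F)
    def body(n):
        if n == 1:
            return Return(0)
        nxt = n // 2 if n % 2 == 0 else 3 * n + 1
        return Step(lambda: bind(f(nxt), lambda s: Return(s + 1)))
    return body


nest = fix(nest_op)
collatz_steps = fix(collatz_op)
loop = fix(lambda f: (lambda n: Step(lambda: f(n))))   # loop n = loop n

if __name__ == "__main__":
    print(run(nest(5), 1000), run(collatz_steps(7), 1000), run(loop(3), 200))
    # fstconv is not equality preserving: the winner depends on step counts
    print(run(fstconv(delay(2, Return("a")), delay(1, Return("b"))), 10))
```

The first print line shows 0, 16 and None (Y(F) converges on the first two operators and only produces steps on loop), the second shows b, the element with fewer steps.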

7. Lazy interpretation 

The formalization of partial elements of $A$ as terms of type $A^\nu$ gives a strict interpretation of functions. There cannot be a partial evaluation of a term: If $x: A^\nu$, then we can investigate its shape, that is either a result $\ulcorner a \urcorner$ or a step $\triangleright x'$. In the latter case, we can go on investigating the shape of $x'$. As long as we get step cases, we have no information about the result. When we get a result $\ulcorner a \urcorner$ we get all the information.

In functional programming, it is useful to be able to compute only partial information 
about a result. For example, we may need to know that a certain natural number result is 
a successor, without computing it completely. An instance in which this capacity can be 
used in computation is the following example of two mutually defined recursive functions:

$\mathrm{sloth}_1: \mathbb{N} \rightharpoonup \mathbb{N}$
$\mathrm{sloth}_1\ 0 = 0$
$\mathrm{sloth}_1\ (S\ n) = (\mathrm{sloth}_1\ (\mathrm{sloth}_2\ n)) + (\mathrm{sloth}_2\ n)$

$\mathrm{sloth}_2: \mathbb{N} \rightharpoonup \mathbb{N}$
$\mathrm{sloth}_2\ 0 = 0$
$\mathrm{sloth}_2\ (S\ m) = (\mathrm{sloth}_2\ (\mathrm{sloth}_1\ m)) + m$ if $(\mathrm{sloth}_1\ m) < m$
$\mathrm{sloth}_2\ (S\ m) = 0$ otherwise

It is easy to see that the computation of $(\mathrm{sloth}_1\ 13)$ diverges, independently of whether the evaluation is strict or lazy. However, if we evaluate it partially, we obtain

$(\mathrm{sloth}_1\ 13) = (\mathrm{sloth}_1\ (\mathrm{sloth}_2\ 12)) + (\mathrm{sloth}_2\ 12) = (\mathrm{sloth}_1\ 19) + 19.$

When computing $(\mathrm{sloth}_2\ 14)$, we need to decide whether $(\mathrm{sloth}_1\ 13) < 13$. With a strict evaluation strategy, the computation of $(\mathrm{sloth}_2\ 14)$ diverges because the evaluation of $(\mathrm{sloth}_1\ 13)$ diverges. However, with a lazy evaluation strategy, we can determine that $(\mathrm{sloth}_1\ 13) = (\mathrm{sloth}_1\ 19) + 19 > 13$ and therefore $(\mathrm{sloth}_2\ 14) = 0$. This shows that a lazy evaluation strategy may converge when a strict one diverges.

To formalize lazy evaluation we have to modify the formalization of partial elements for inductive types. For an inductive type $T$, we define the type of its partial elements as the coinductive type with the same constructors plus a constructor for a computation step that does not yield any information.

Definition 7.1. Let $T$ be an inductive type, that is, $T$ is defined in type theory by

Inductive $T$: Type :=
  $c_1: (\Theta_1)\ T$
  $\vdots$
  $c_n: (\Theta_n)\ T.$

The type of lazy partial elements of $T$ is

CoInductive ${}^\nu T$: Type :=
  $c_1: (\Theta_1[T := {}^\nu T])\ {}^\nu T$
  $\vdots$
  $c_n: (\Theta_n[T := {}^\nu T])\ {}^\nu T$
  step: ${}^\nu T \to {}^\nu T.$

As before, we use the notation $\triangleright x$ for $(\mathrm{step}\ x)$. We make a slight abuse of notation by using the same constructor names for $T$ and ${}^\nu T$.

This was my original formalization of partial elements (see Chapter 7 of [?]). The version $A^\nu$ is a simplification suggested to me by Herman Geuvers and Peter Aczel.

As an example, let us see how this variant produces the right computation behavior for the $\mathrm{sloth}_2$ function. First of all, the type of lazy natural numbers is

CoInductive ${}^\nu\mathbb{N}$: Type :=
  $0: {}^\nu\mathbb{N}$
  $S: {}^\nu\mathbb{N} \to {}^\nu\mathbb{N}$
  $\triangleright: {}^\nu\mathbb{N} \to {}^\nu\mathbb{N}.$
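As an added example of my own (not the paper's development), here is a Python model of these lazy naturals with a successor whose predecessor is a thunk, a lazy addition by corecursion on its second argument, and a bounded search for a derivation of the order relation; it decides the $\mathrm{sloth}_2$ guard from the start of this section without ever forcing the diverging $(\mathrm{sloth}_1\ 19)$, which the example simply assumes to be the diverging element as the text states.

```python
# Added example, not from the paper: lazy partial naturals in the style of
# Definition 7.1 (constructors Zero, Succ and a step), with the lazy addition
# and the inductive order used for sloth_2, and a bounded derivation search
# that mirrors the inversion argument of Section 7.
from typing import Callable, Optional


class Zero:
    pass


class Succ:
    """S x, where the predecessor is a thunk so partial information can be
    produced before the whole number is known."""
    def __init__(self, pred: Callable[[], object]):
        self.pred = pred


class Step:
    """A computation step that yields no information about the result."""
    def __init__(self, thunk: Callable[[], object]):
        self.thunk = thunk


ZERO = Zero()


def bottom():
    """The diverging lazy natural step^infinity."""
    return Step(bottom)


def from_int(n: int):
    return Succ(lambda: from_int(n - 1)) if n > 0 else ZERO


def add(x, y):
    """Lazy addition by corecursion on y: it emits one successor per
    successor of y and never forces x."""
    if isinstance(y, Zero):
        return x
    if isinstance(y, Succ):
        return Succ(lambda: add(x, y.pred()))
    return Step(lambda: add(x, y.thunk()))


def less_than(x, y, fuel: int) -> Optional[bool]:
    """Search for a derivation of the inductive order of Section 7 within
    `fuel` rule applications. True if one is found, False if inversion
    shows none can exist (an S-headed x against Zero), None if the budget
    is spent peeling steps."""
    for _ in range(fuel):
        if isinstance(x, Zero):            # constructor le_0
            return True
        if isinstance(x, Step):            # le_step,l: peel a step on the left
            x = x.thunk()
        elif isinstance(y, Step):          # le_step,r: peel a step on the right
            y = y.thunk()
        elif isinstance(y, Zero):          # S x < 0 matches no constructor
            return False
        else:                              # le_S is the only remaining option
            x, y = x.pred(), y.pred()
    return None


def sloth2_guard(fuel: int = 1000) -> Optional[bool]:
    """The guard of sloth_2's conditioned equation at argument 14, assuming
    as in the text that (sloth_1 19) diverges: (sloth_1 19) + 19 < 13."""
    return less_than(add(bottom(), from_int(19)), from_int(13), fuel)


if __name__ == "__main__":
    print(sloth2_guard())                                             # False
    print(less_than(add(bottom(), from_int(3)), from_int(13), 1000))  # None
```

The guard is refuted after thirteen applications of le_S, exactly the inversion argument below; with a smaller summand the comparison reaches the diverging operand and the search exhausts its budget instead.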
Here are the lazy versions of addition and order; addition is defined by corecursion on its result and order is defined as an inductive relation:

$x\ {}^\nu\!+\ 0 = x$
$x\ {}^\nu\!+\ (S\ y) = S\ (x\ {}^\nu\!+\ y)$
$x\ {}^\nu\!+\ \triangleright y = \triangleright(x\ {}^\nu\!+\ y)$

Inductive ${}^\nu\!<$: ${}^\nu\mathbb{N} \to {}^\nu\mathbb{N} \to \mathrm{Prop}$ :=
  le$_0$: $(y: {}^\nu\mathbb{N})\ 0\ {}^\nu\!<\ y$
  le$_S$: $(x, y: {}^\nu\mathbb{N})\ x\ {}^\nu\!<\ y \to (S\ x)\ {}^\nu\!<\ (S\ y)$
  le$_{\mathrm{step},l}$: $(x, y: {}^\nu\mathbb{N})\ x\ {}^\nu\!<\ y \to (\triangleright x)\ {}^\nu\!<\ y$
  le$_{\mathrm{step},r}$: $(x, y: {}^\nu\mathbb{N})\ x\ {}^\nu\!<\ y \to x\ {}^\nu\!<\ (\triangleright y)$

This definition of order is not reflexive, because it is not possible to prove $\triangleright^\infty\ {}^\nu\!<\ \triangleright^\infty$, but we adopt it for our example for simplicity. The reader should find it easy to modify it into a reflexive relation.

Returning to our example, the conditioned equation in the definition of $\mathrm{sloth}_2$ produces the statement $(\mathrm{sloth}_1\ 19)\ {}^\nu\!+\ 19\ {}^\nu\!<\ 13$. Contrary to the strict case, we can now evaluate this statement to a truth value. By the definition of ${}^\nu\!+$ this becomes

$S^{19}\ (\mathrm{sloth}_1\ 19)\ {}^\nu\!<\ S^{13}\ 0.$

By inversion, if this statement were provable, the only applicable constructor would be le$_S$, so $S^{18}\ (\mathrm{sloth}_1\ 19)\ {}^\nu\!<\ S^{12}\ 0$ should also be provable. Repeating this step 13 times, we get $S^{6}\ (\mathrm{sloth}_1\ 19)\ {}^\nu\!<\ 0$. But this statement does not match the conclusion of any constructor of ${}^\nu\!<$, thus it is not provable. We conclude that our original statement was not provable.

8. Partiality as a monad

The categorical notion of (strong) monad is a useful abstract description of computation. Eugenio Moggi studied this relation in a series of works [45, 46, 11]. We will show that the operator mapping a type $A$ to the type of partial elements $A^\nu$ gives a computational monad in Moggi's sense. We recall the notion of monad in extension form, or Kleisli triple. The definition is taken from [11], Definition 3, pg. 45.

Definition 8.1 (Kleisli triple/monad in extension form). A Kleisli triple over a category $\mathcal{C}$ is a triple $(T, \eta, \_^*)$, where $T: |\mathcal{C}| \to |\mathcal{C}|$, $\eta_A: A \to TA$ for $A \in |\mathcal{C}|$, $f^*: TA \to TB$ for $f: A \to TB$, and the following equations hold:

• $f^* \circ \eta_A = f$ for $f: A \to TB$;

• $g^* \circ f^* = (g^* \circ f)^*$ for $f: A \to TB$ and $g: B \to TC$.

The intuitive understanding of a Kleisli triple is that, for a type of values $A$, $TA$ is the type of computations of elements of type $A$. The unit $\eta_A$ maps a value $a$ to the trivial computation that just returns $a$. A function $f: A \to TB$ that maps values of type $A$ to computations of type $B$ can be extended to computations: $f^*: TA \to TB$ is the program that, given a computation $x$ of type $A$, first computes it and, if it gives a value $a$, applies $f$ to it.

In the present case, $\mathcal{C}$ is the category of setoids in type theory. The operator $T$ maps a type $A$ to the type of partial elements $A^\nu$. To be precise, we must define this operation on setoids. This is not difficult; it is just necessary to identify elements of $A^\nu$ that give equal results according to the book equality of the setoid. The details of the definition are left to the reader. Also for the other components of the monad, we define them on types and leave to the reader the routine extension to setoids. The unit of the monad $\eta$ is simply the return constructor of $A^\nu$. If $f: A \to B^\nu$, then $f^*: A^\nu \to B^\nu$ is defined by



The equations for a Kleisli triple are satisfied. The proof of this fact is routine.

Theorem 8.2. The triple $(\_^\nu, \mathrm{return}, \_^*)$ is a Kleisli triple on the category of setoids.

A more powerful notion is that of strong monad. This is a monad in which a pair value-computation can be turned into the computation of a pair. The definition is taken from [45].

Definition 8.3. A strong monad over a category $\mathcal{C}$ with finite products is a monad $(T, \eta, \mu)$ together with a natural transformation $t_{A,B}: A \times TB \to T(A \times B)$ satisfying the following equations:

• $T(r_A) \circ t_{1,A} = r_{TA}$;

• $T(\alpha_{A,B,C}) \circ t_{A \times B, C} = t_{A, B \times C} \circ (\mathrm{id}_A \times t_{B,C}) \circ \alpha_{A,B,TC}$;

• $t_{A,B} \circ (\mathrm{id}_A \times \eta_B) = \eta_{A \times B}$;

• $t_{A,B} \circ (\mathrm{id}_A \times \mu_B) = \mu_{A \times B} \circ T(t_{A,B}) \circ t_{A,TB}$;

where $r$ and $\alpha$ are the natural isomorphisms

• $r_A: 1 \times A \to A$;

• $\alpha_{A,B,C}: (A \times B) \times C \to A \times (B \times C)$.

Moggi [?] shows that the pure $\lambda$-calculus can be interpreted inside strong monads. In the present case the natural transformation $t$ can be defined by



Theorem 8.4. The quadruple $(\_^\nu, \mathrm{return}, \_^*, t)$ is a strong monad.

A thorough study of this monad is the subject of a forthcoming article in collaboration with Thorsten Altenkirch and Tarmo Uustalu.



During the Dagstuhl Seminar on Dependently Typed Programming in the Summer of 
2004, I discussed partiality in type theory with Thorsten Altenkirch and Tarmo Uustalu. 
Their comments, then and later, were a valuable contribution to this article. Ana Bove read 
the article very carefully. She had many insightful comments and suggestions for improve- 
ment. She also signalled several typos. Thanks to her I was able to improve it considerably. 
I am also indebted to two referees who gave constructive criticism and suggestions for im- 
provement. 